Windows Update: Dual Scan Issues on Windows 10

Personally, I was very surprised that in some cases computers running Windows 10 may not get updates from the local WSUS server and try to access Microsoft update servers instead, despite the fact that the WSUS server is configured on the clients through the standard WSUS group policy. This problem is related to the term Dual Scan.

Dual Scan is a combination of settings in Windows 10 1607 or higher that makes clients ignore the settings of the local WSUS server and also scan the external Windows Update servers for new updates. These issues were first reported in May 2017.

Both the WSUS server and the Windows Update (WU) servers are scanned for updates, but a client accepts updates only from the WU servers. Thus, all updates and patches from the local WSUS server that apply to Windows are ignored by such clients. This means that they get Windows updates from the Web, and updates for drivers and other software from WSUS.

In my case, two standard policies for updating the PC from the local WSUS server were enabled on the problem client in the Computer Configuration\Administrative Templates\Windows Components\Windows Update section:

Configure Automatic Updates

Specify intranet Microsoft update service location

At the same time, the Defer Upgrades and Updates option is checked in Update & security -> Windows Update -> Advanced options (this setting is the same as the ‘Select when Feature Updates are received’ policy).

With this combination of settings, the clients stop receiving Windows updates from the internal WSUS server.

Thus, Dual Scan occurs with the following combinations of policies (or equivalent registry keys or settings on Windows 10 clients):

The address of the local WSUS server is set in the Specify intranet Microsoft update service location policy

One of the Windows Update for Business policies that allow deferring updates is enabled:

Select when Feature Updates are received

Select when Quality Updates are received

Tip. These policies are located in Computer Configuration\Administrative Templates\Windows Components\Windows Update\Defer Windows Updates. With these policies, a user can defer Windows 10 upgrades, which switches the OS to Current Branch for Business. Security updates cannot be deferred.

To eliminate Dual Scan and make clients search for Windows updates only on the local WSUS server, enable the ‘Do not allow update deferral policies to cause scans against Windows Update’ policy in Computer Configuration\Administrative Templates\Windows Components\Windows Update.

This policy is available in Windows 10 1607; however, it is not present in Windows 10 1703 by default. To see this GPO setting, install update KB4034658 from August 8, 2017.
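
A check for the policy combination described above, as an added PowerShell example that is not part of the original article: it reads the registry values that back the named policies (WUServer, UseWUServer, DeferFeatureUpdates, DeferQualityUpdates and DisableDualScan under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate) and reports whether the Dual Scan combination is present. The function names and the sample WSUS URL are hypothetical, and a deferral set only through the Settings app is not covered.

```powershell
# Added example, not from the original article. Value names are the registry
# values written by the Windows Update policies named in the text.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Emits nothing (treated as $null) when the key or value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Test-DualScan {
    param(
        [string]$WUServer,          # Specify intranet Microsoft update service location
        [int]$UseWUServer,          # 1 when that policy is enabled (stored under ...\AU)
        [int]$DeferFeatureUpdates,  # Select when Feature Updates are received
        [int]$DeferQualityUpdates,  # Select when Quality Updates are received
        [int]$DisableDualScan       # Do not allow update deferral policies to cause scans...
    )
    $wsusSet  = ($UseWUServer -eq 1) -and -not [string]::IsNullOrWhiteSpace($WUServer)
    $deferSet = ($DeferFeatureUpdates -eq 1) -or ($DeferQualityUpdates -eq 1)
    $blocked  = ($DisableDualScan -eq 1)
    [pscustomobject]@{
        WsusConfigured   = $wsusSet
        DeferralEnabled  = $deferSet
        DualScanDisabled = $blocked
        DualScanLikely   = $wsusSet -and $deferSet -and -not $blocked
    }
}

# Constructed sample input: WSUS plus quality-update deferral, mitigation policy not set.
$sample = @{
    WUServer            = 'http://wsus.example.local:8530'
    UseWUServer         = 1
    DeferQualityUpdates = 1
}
Test-DualScan @sample

# Live check against this machine's policy hive.
$live = @{
    WUServer            = Get-PolicyValue $wuKey 'WUServer'
    UseWUServer         = Get-PolicyValue "$wuKey\AU" 'UseWUServer'
    DeferFeatureUpdates = Get-PolicyValue $wuKey 'DeferFeatureUpdates'
    DeferQualityUpdates = Get-PolicyValue $wuKey 'DeferQualityUpdates'
    DisableDualScan     = Get-PolicyValue $wuKey 'DisableDualScan'
}
Test-DualScan @live
```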